It’s more important than ever to create secure applications during the development phase, but very few strides have been made along that path, according to Pieter Danhieux, an instructor at the SANS Institute and co-founder of the security and hacking conference BRUCON in Belgium. The teaching of application design and programming needs to undergo a substantial change because students are not taught and have not practiced secure design processes at an early enough stage, he asserted.
“Programming students will typically attend a single module on security during a course and it often comes in the later part of the educational cycle,” he explained. “The result is often a class of very talented developers but they don’t think with security in mind.”
That leads to poor security practices such as building applications with buffer-overflow and SQL injection vulnerabilities that are widely exploited by hackers. Danhieux also said that many of the fundamental mistakes that he was exploiting as a penetration tester 10 years ago are still the most common issues today.
Approaches for combatting data breaches, from development to client password policies, need to be supercharged in the face of a growing threat, he said. “The US is one of the only countries with a well-developed disclosure culture around security breaches, so the assumption might be that there are relatively few incidents and that America is the epicenter,” Danhieux said. “I can tell you for a fact that the scale of the attacks is at epidemic proportions and it is organized, well-funded and global.”
Thus, website designers, architects and developers must understand and learn web app vulnerabilities in-depth with tried-and-true techniques for finding them using a structured testing regime. “The goal is to learn the skills of an attacker so that students can become better defenders,” Danhieux said.
That’s not to say human error isn’t still a big part of the problem. “You can’t say it’s just down to insecure program design,” he noted. “The bigger problem is still due to insecure passwords, over-privileged users and poorly patched systems.”
Danhieux is familiar with the reality on the ground in his work for BAE Systems Detica, an information intelligence company. “We deal with incidents and security assessment results every day, and when you look at the root cause analysis, 80% of the time it was one of these issues,” he said.